Neighbor awareness networking password authentication

ABSTRACT

An apparatus comprises a memory and at least one processor in communication with the memory. The at least one processor is to detect, during a discovery window, a neighboring client station that is to perform peer-to-peer Wi-Fi communication via a Neighbor Awareness Networking (NAN) protocol and establish, via a negotiation after the discovery window, a datapath with the neighboring client station, wherein the negotiation includes an exchange of NAN data path setup attributes in parallel with an exchange of encryption cipher attributes and the encryption cipher is based on a simultaneous authentication of equals (SAE) protocol. The SAE protocol can be used to generate key material to encrypt the datapath.

CROSS-REFERENCE

This application claims benefit of U.S. Provisional Patent ApplicationNo. 62/779,699 filed Dec. 14, 2018, which is hereby incorporated hereinby reference.

FIELD

Embodiments described herein relate generally to neighbor awarenessnetworking and more specifically to neighbor awareness networkingpassword authentication.

BACKGROUND OF THE DESCRIPTION

Encryption can be used to secure data communication channels againsteavesdropping. Password or passphrases are often used as entropy for theencryption algorithm that is used to secure a data channel. However,passwords or passphrases that are not sufficiently complex may bevulnerable to brute force cracking, dictionary attacks, or other typesof attacks against the password or passphrase, which can compromise thesecurity of the data communication channel.

SUMMARY OF THE DESCRIPTION

Various embodiments and aspects of neighbor awareness networkingpassword authentication will be described herein. One embodimentprovides for an apparatus comprising a memory and at least one processorin communication with the memory. The at least one processor can detect,during a discovery window, a neighboring client station that is toperform peer-to-peer Wi-Fi communication via a Neighbor AwarenessNetworking (NAN) protocol and establish, via a negotiation after thediscovery window, a datapath with the neighboring client station,wherein the negotiation includes an exchange of NAN datapath setupattributes in parallel with an exchange of encryption cipher attributesand the encryption cipher is based on a simultaneous authentication ofequals (SAE) protocol. The SAE protocol can be used to generate keymaterial to encrypt the datapath.

One embodiment provides for a non-transitory machine-readable mediumstoring instructions to cause one or more processors of an electronicdevice to perform one or more operations comprising detecting, during adiscovery window, a neighboring client station that is to performpeer-to-peer Wi-Fi communication via a Neighbor Awareness Networking(NAN) protocol, negotiating, after the discovery window, NAN protocolparameters for a datapath with the neighboring client station, whereinthe negotiating includes exchanging NAN data path setup attributes inparallel with an exchange of attributes for an encryption cipher, theencryption cipher is based on a simultaneous authentication of equals(SAE) protocol, generating key material to encrypt the datapath usingthe SAE protocol, and establishing the datapath with the neighboringclient station.

The above summary does not include an exhaustive list of all embodimentsin this disclosure. All systems and methods can be practiced from allsuitable combinations of the various aspects and embodiments summarizedabove, and also those disclosed in the Detailed Description below.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments and aspects of a private federated learning systemwill be described herein, with reference to details discussed below. Thedescribed embodiments are illustrated by way of example and notlimitation in the figures of the accompanying drawings, in which likereferences indicate similar elements, and in which:

FIG. 1 is a schematic illustration of an overview of a networkenvironment in which data can be exchanged between multiple devices,according to some embodiments;

FIG. 2 illustrates a system in which NAN publish/subscribe message flowcan be performed;

FIG. 3 illustrates a system of one-way authentication to establish aconnection to facilitate a data exchange over Wi-Fi, according to anembodiment;

FIG. 4 illustrates a NAN compact SAE protocol, according to anembodiment;

FIG. 5 provides additional detail with respect to the integration of theSAE handshake in the NDP setup handshake, according to an embodiment;

FIG. 6 illustrates SAE recovery and re-setup, according to anembodiment;

FIG. 7 is a block diagram of a device architecture for a mobile orembedded device, according to an embodiment;

FIG. 8 is a block diagram of a computing system, according to anembodiment;

FIG. 9 illustrates a computing system including a secure processor,according to an embodiment; and

FIG. 10 is a flow diagram illustrating a method that enables a NANcompact SAE protocol, according to an embodiment.

DETAILED DESCRIPTION

Neighbor Awareness Networking Password Authentication can be performedusing a pairwise master key that can be derived from a key word or keyphrase that is known to both NAN peers. PMK-based security is effectivebut can be improved. Embodiments described herein provide techniques toimprove the security of NAN data path establishment without introducingmajor changes to the primitives and APIs provided by the NeighborAwareness Networking Specification (e.g., NAN version 3.0). In oneembodiment, NAN data paths are established and secured usingsimultaneous authentication of equals (SAE). Instead of using apre-shared PMK or static NFC code, a PMK is derived by using asymmetric(public/private keys) cryptographic techniques between the devices thatare to establish the secured data path. An attacker will be unable todetermine either the password or the resulting PMK via brute forcecracking, dictionary attacks, or other types of attacks against thepassword or passphrase.

Reference herein to “one embodiment” or “an embodiment” or “someembodiments” means that a particular feature, structure, orcharacteristic described in conjunction with the embodiment can beincluded in at least one embodiment. The appearances of the phrase“embodiment” in various places in the specification do not necessarilyall refer to the same embodiment. It should be noted that there could bevariations to the flow diagrams or the operations described thereinwithout departing from the embodiments described herein. For instance,operations can be performed in parallel, simultaneously, or in adifferent order than illustrated.

FIG. 1 is a schematic illustration of an overview of a networkenvironment 100 in which data can be exchanged between multiple devices,according to some embodiments. The network environment 100 can includeone or more electronic devices such as a tablet computer 102A, a desktopcomputer 102B, a television or set top box 102C, a mobile phone device102E, wearable device 102F, and/or a laptop computer 102G, which may bereferred to collectively as electronic devices 102. In one embodiment,electronic devices 102 within range of one another can establish adirect or peer-to-peer communication channel via a direct communicationlink (e.g., Bluetooth, infrared (IR), Wi-Fi, etc.). The direct or peerto peer communication channel can be established between devices using aneighbor awareness networking (NAN) protocol. The NAN protocol enableswireless devices to form NAN clusters and communicate over a NANnetwork. A NAN Network comprises NAN Devices that share a common set ofNAN parameters that include: the time period between consecutiveDiscovery Windows, the time duration of the Discovery Windows, thebeacon interval, and NAN Discovery Channel(s). A NAN cluster is acollection of NAN devices that share a common set of NAN parameters andare synchronized to the same Discovery Window schedule. A NAN Device cansend multicast NAN Service Discovery frames directly to other NANdevices within range in the same NAN Cluster during the DiscoveryWindow. A NAN Device can send unicast NAN Service Discovery framesdirectly to any other NAN Device within range in the same NAN Clusterduring the Discovery Window.

In addition to peer-to-peer connections, the electronic devices 102 canbe connected to a network 120, either directly or via a connection to abase station 130. The base station 130 can be, for example, a networkaccess device (e.g., a router, cellular base station or the like) whichprovides the electronic devices 102 with network access. The network 120can be any suitable type of wired or wireless network such as a localarea network (LAN), a wide area network (WAN), or combination thereof. ALAN can be implemented using various network connection technologiessuch as, but not limited to Ethernet, wireless LAN (e.g., Wi-Fi), and/orwireless personal area networks (WPAN). LAN communication over thenetwork 120 can be performed using network protocols such as, but notlimited to transmission control protocol (TCP) and Internet protocol(IP).

Before a peer-to-peer communication channel is established betweenelectronic devices 102, a peer discovery and pairing process isperformed between the devices. The peer discovery process enables theelectronic devices 102 to discover and preemptively establishconnections between before data is available to be synchronized betweenthe electronic devices 102. The peer discovery process, in someinstances, can also include user verification that communication theelectronic devices 102 should occur. In some embodiments, peer discoverycan leverage existing service discovery protocols that facilitatelocating devices and/or services on a wireless or other network, such asthe Simple Service Discovery Protocol (SSDP) developed by the UPnP Forumor the Bonjour networking technology developed by Apple Inc. (publishedas IETF RFC 6762 and IETF RFC 6763 and referred to herein as “Bonjour”).In a device discovery service, a device can advertise informationindicating its existence, address, and optionally additional informationabout its capabilities. Other devices can browse the advertisements andidentify devices of interest based on the broadcast information. Usingthe advertised address, a browsing device can initiate communicationwith the advertiser.

Depending on the network and discovery service, advertising canoptionally include real-time broadcasting of information (e.g., througha multicast or beacon signal) and/or providing advertisement informationto a central repository (e.g., at a network access point) from whichother devices can retrieve the information. Browsing of advertisementscan include detecting broadcast advertisements and/or retrievingadvertisement information from the central repository. In someembodiments, electronic devices that are attached to a power source,such as an electrical outlet, can continuously perform advertisement anddiscovery for the peer-to-peer connection service. Mobile user devicescan enable discovery of the peer-to-peer connection service based on thelocation of the user device. When one of the electronic devices 102 isdiscovered by another one of the electronic devices 102, a network dataconnection (e.g., TCP, UDP, etc.) can be established between thedevices.

In one embodiment, some devices, such as the wearable device 102F (e.g.,electronic watch device or another wearable electronic accessory) cansynchronize data over a peer-to-peer channel with another device (e.g.,a mobile phone device 102E) while also synchronizing data via aconnection over a network-centric channel via the network 120. Forexample, the wearable device 102F can have a primary synchronizationchannel with a companion electronic device, such the mobile phone device102E. The wearable device 102F can also receive synchronization datawhile the wearable device 102F is charging. In one embodiment, some datato be synchronized with the wearable device 102F can be synchronizedwith the mobile phone device 102E or another companion device. Dividingsynchronization duties between the wearable device 102F and the mobilephone device 102E can enable rich data to be delivered to the wearabledevice 102F in a timely manner without negatively impacting the powerand performance of the wearable device 102F.

FIG. 2 illustrates a system 200 in which NAN publish/subscribe messageflow can be performed. To enable security for the NAN data path, anauthentication system can be used. In one embodiment the authenticationsystem is a shared-key based protocol, for example, as introduced in NANprotocol version 2.0. NDP security setup supports multiple techniques toauthenticate peer devices and establish appropriate cryptographic keys.Multiple cryptographic methods are supported using cipher suites thatdescribe the set of algorithms and processing. The cipher suites may bebased on either symmetric (shared secret key) or asymmetric(public/private keys) cryptographic techniques. The cipher suites areidentified by cipher suite identifiers (CSIDs). Furthermore, a securitycontext identifier (SCID) can also be used to identify the context ofthe security setup and identifies any long-term keys that are used toestablish a security association. The security association can beestablished using a pairwise master key (PMK), which can be derived froma key word or key phrase that is known to both NAN peers.

A NAN data path (NDP) responder 202 can include an upper software layerthat includes service and application logic (e.g., service/app layer204) and a NAN system 206 that can include NAN host and firmware logic,where the NAN host can include one or more wireless hardware systems. AnNDP initiator 208 can include a NAN system 210 and upper software layers(e.g., service/app layer 212) that are similar to those of the NDPresponder 202.

Service/app layer 204 of the NDP responder 202 (e.g., Publisher) canadvertise supported CSID(s) and SCID(s) via a publish message 217 to theNAN system 206, which in turn can broadcast wireless publicationmessages 218. The NAN system 210 on an NDP initiator 208 (e.g.,subscriber) can also transmit a subscribe message 216 in response to asubscribe message 215 received from service/app layer 212. A discoveryresults message 219 containing published CSID(s) and SCID(s) is relayedfrom the NAN system 210 to the service/app layer 212 of the NDPinitiator 208. Service/app layer 212 can select a suitable CSID and SCIDand send a data request message 231 to NAN system 210 that includes thePMK associated with the SCID.

A four-way handshake (Data Path Request, Response, Confirm and SecurityInstall) can then be used to verify the PMK and install a pairwisetransient key (PTK), which is derived from the PMK. NAN system 210 canfirst transmit a data path request message 232 including the selectedCSID, SCID, and a key descriptor that contains key related information.A data indication message 233 and data response message 234 areexchanged between service/app layer 204 and NAN system 206, where dataresponse message 234 includes the SCID and the PMK associated with theSCID. NAN system 206 of the NDP responder 202 can then transmit a datapath response message 235 including the CSID, SCID, key descriptor, andoptional encrypted data, which can be encrypted key data. NAN system 210can reply with a data path confirm message 236 including the keydescriptor and optionally encrypted key data. NAN system 206 can thentransmit a data path security install message 237 to NAN system 210. NANsystem 206 and NAN system 210 can then send respective data confirmmessages 238, 239 to service/app layer 204 and service/app layer 212.The NDP responder 202 and NDP initiator 208 can then established asecured data communication channel 240.

PMK-based security is effective but can be improved. For example, if thePMK is derived using a static password or pass-phrase, the PMK may bevulnerable to a brute force key space search attack. Furthermore, along-term shared PMK may suffer from weak perfect forward secrecy,meaning past sessions may be vulnerable to future compromises of secretkeys. Some of these shortcomings may be overcome in the NAN context byusing a PMK derived by asymmetric (public/private keys) cryptographictechniques. In one proposed implementation, a secured NAN data pathsetup can be performed between devices using a negotiated NFC connectionhandover in which establishment of a secured NAN data path is negotiatedover NFC. In a negotiated NFC handover, one NFC capable device canpropose a set of carriers, security settings, and corresponding securitymaterial (such as its public key); and the other NFC capable device canselect one of the proposed carriers, one security setting, andcorresponding security material (such as its public key). An asymmetriccryptographic technique, such as Diffie-Hellman scheme, can then be usedto derive a PMK. A four-way handshake can then be used to verify the PMKand install a pairwise transient key (PTK), which is derived from thePMK. The PTK is then used to secure the negotiated NAN data path.

Due to device capability limitations, some device to devicecommunications cannot be performed using negotiated NFC connectionhandovers and are limited to the use of a one-way authenticationmethods. One-way authentication methods include the entry of a password,passphrase, or passcode that enables the establishment of a direct dataconnection. A user with a mobile device can scan a QR code thatrepresents a password, passphrase, or passcode. A device can also usenear-field communication (NFC) to perform a static NFC connectionhandover. A static NFC handover can occur between an NFC reader and anNFC tag that contains a static handover message, which may carry apassword, passphrase, or passcode. The NFC reader can analyze thehandover message and if the message contains valid data for a carrierthat the device supports, the device can initiate a correspondingconnection.

FIG. 3 illustrates a system 300 of one-way authentication to establish aconnection to facilitate a data exchange over Wi-Fi, according to anembodiment. One-way authentication can be performed using QR code scan,passcode input, and the like, and can also be performed using a staticNFC connection handover as shown in FIG. 3. Connection handovers can beused in cases in which the amount of data to be transferred is too largeto be transmitted over NFC or for situations in which data is to bestreamed for a longer time. Static handovers can be performed toestablishes a connection between an NFC device and an accessory orperipheral device. The NFC connection is used to set up an encrypteddata exchange via another data channel, such as Wi-Fi or Bluetooth.

Static NFC handover can occur between a handover selector 320 includinga host 324 and wireless data channel (e.g., alternate carrier 322, whichcan be Wi-Fi). The handover selector 320 can also include an NFC tag306. The NFC tag 306 can be a passive device that transmits data whenpowered via electromagnetic induction from an active NFC device, such asan NFC device 314 within a handover requester 310. The handoverrequester 310 can include a host 312 in communication with the NFCdevice 314 and one or more alternate wireless carriers (e.g., alternatecarrier 316, alternate carrier 318), such as, for example, Bluetooth andWi-Fi. Host 312 of the handover requester 310 and host 312 of thehandover selector 320 can be a processing system that includes anapplication processor, such as a processing system found in a smartphoneor tablet device. Alternate carriers 316, 318, 322 can each be wirelessprocessing systems that include a wireless radio and one or morewireless processors.

In one embodiment the handover selector 320 can select an alternatechannel over which a NAN data path can be established to perform a dataexchange. A handover select signal 302 can be sent via NFC uponenergizing the NFC tag 306. The handover select signal 302 can includedata to select a data exchange carrier, as well as data to encrypt thewireless channel over which a data exchange 304 is to occur. NAN datapaths that are established using a static NFC connection handover aresecure but can be improved much in the way that static PMK based NANconnections can be improved.

Embodiments described herein provide techniques to improve the securityof NAN data path establishment without introducing major changes to theprimitives and APIs provided by the Neighbor Awareness NetworkingSpecification (e.g., NAN version 3.0). In one embodiment, NAN data pathsare established and secured using simultaneous authentication of equals(SAE). Instead of using a pre-shared PMK or static NFC code, a PMK isderived by using asymmetric (public/private keys) cryptographictechniques between the devices that are to establish the secured datapath. An attacker will be unable to determine either the password or theresulting PMK by passively observing an exchange or by interposingitself into the exchange by faithfully relaying messages between the twodevices. Furthermore, an attacker is unable to determine either thepassword or the resulting shared key by modifying, forging, or replayingframes to an uncorrupted device. An attacker us unable to performoffline dictionary attacks on the system. Instead, the attacker islimited to one guess at the password per attack. Additionally,compromising a PMK from a previous run of the protocol does not provideany advantage to an adversary attempting to determine the password orthe shared key from any other instance.

One way to introduce SAE into NAN is to introduce an SAE handshake togenerate a PMK, rather than using a pre-shared PMK. Aservice/application layer in one device can obtain a password from apeer device by using an out-of-band (00B) channel, such as via direct UIpassword input, a QR code scan, or an NFC tag read. The passwordacquisition may happen before NAN operations and can trigger NANsynchronization and discovery. The password acquisition may also happenafter the NAN service discovery and may be triggered by NAN servicediscovery (follow-up) operation. When the service subscriber decides toestablish a secured NDP with the service publisher, it can first startan SAE handshake to generate PMK and then continue with the secured NDPsetup handshake.

However, direct injection of the SAE protocol in NAN by adding an SAEhandshake on top of secured NDP setup introduces significant overheadinto the NDP setup process. NDP setup on top of SAE may takesignificantly longer than previous versions and can damage the overalluser experience. Furthermore, significant design complications areintroduced when attempting to manage new SAE primitives and logicconnections alongside existing NAN data path and NAN data link (NDL)primitives.

Instead, embodiments described herein provide for a NAN compact SAEprotocol that allows the SAE handshake to be encapsulated into thesecured NDP setup handshake. The NAN compact SAE protocol does notrequire any major changes to the existing NAN primitives or API andintroduces zero overhead on top of the existing secured NDP setupprotocol. In other embodiments described herein the NAN compact SAEprotocol is extended to enable additional functionality including SAErecovery and re-setup, SAE password pre-processing, and can enable theuse of a default SAE password for services or applications that do notprovide an OOB password provisioning method.

In one embodiment, SAE recovery is enabled to cover a scenario in whicha kernel crash occurs and the NAN firmware on a device loses all keymaterial. SAE recovery enables the NAN host to recover the secured NDPwithout service/application involvement. In one embodiment, SAE re-setupenables the NAN device pair to re-establish a new secured NDP withoutconducting OOB authentication again, after the initial NDP isterminated.

In one embodiment, SAE password preprocessing is enabled to preventplaintext password data being exposed when passing from theservice/application layer to NAN layer. Instead of passing the passwordas plaintext, the OOB password is preprocessed to produce a binarystring (binary password) before being passed to the NAN layer and usedas input to SAE handshake.

In one embodiment a default SAE password is used in scenarios in which aservice/application does not provide an OOB password provisioning methodfor NAN. A default SAE password can be used to generate anunauthenticated PMK/PTK, which enables data exchanged between the devicepair to be encrypted at NAN layer to prevent the leaking of privacysensitive information or data that can be used for device tracking.

FIG. 4 illustrates a NAN compact SAE protocol, according to anembodiment. An NDP responder 402 and NDP initiator 408 can include aservice/app layer 404, 412 and NAN layer 406, 410 as in FIG. 2. An OOBpassword 414 can be obtained by one device from the other device usingdirect input, a QR code, NFC tag, etc. The OOB password 414 can beobtained before NAN operations, such as before subscribe message 415,416 (optional) and publish message 417, 418. Obtaining the OOB password414, in such instance, can trigger NAN synchronization and discovery.The OOB password 414 can also be obtained after NAN service discoveryusing NAN service discovery follow-up messages (e.g., message 421, 423).The publish messages 417, 418 can indicate to the subscriber (e.g., NDPinitiator 408) that the supported cypher suite is a version of SAE. NANlayer 410 can then send a discovery result message 419 to service/applayer 412. Service/app layer 412 can respond with a transmit message420. If the OOB password 414 has not yet been obtained, NAN layer 410can send follow-up message to request a password. Follow-up message 421can contain a Service Descriptor Extension attribute (SDEA) that carriesa password request. A receive message 421 and transmit message 422 canbe exchanged between service/app layer 404 and NAN layer 406 to reportthe password request and respond to the password request. NAN layer 406can then transmit a follow-up message back to NAN layer 410. Follow-upmessage 423 can contain a Service Descriptor Extension attribute (SDEA)that carries a response to the password request. A receive message 424can be relayed from NAN layer 410 and service/app layer 412 to indicatethe status of the password request. If the password request is accepted,the service/app layer 404 and 412 can trigger an OOB method to acquirethe OOB password 414.

Once the OOB password 414 is obtained, either before or after servicediscovery, a binary password can be generated at the service/applicationlayer that obtains the password. For example, where the NDP initiator408 receives a password provided by the NDP responder 402, theservice/app layer 412 can generate a binary password based on the OOBpassword 414. In one embodiment, the binary password can be calculated(409) using hash function H, where binary password=H(plaintext password,version, Service Name, Service Instance Name (or Host Name), . . . ).Hash function H can be one of multiple potential hash functions. In oneembodiment the hash function can be the password-based key derivationfunction (e.g., PBKDF1, PBKDF2, etc.), the SipHash function, or anotherhash function that enables sufficient randomization.

In one embodiment a default SAE password is used in scenarios in which aservice/application does not provide an OOB password provisioning methodfor NAN. A default SAE password can be used to generate anunauthenticated PMK/PTK, which enables data exchanged between the devicepair to be encrypted at NAN layer to prevent the leaking of privacysensitive information or data that can be used for device tracking. Inone embodiment the default SAE password is a binary password that isgenerated in a manner to minimize potential collision with a binarypassword generated based on a non-default password. For example, abinary password can be generated using hash function H_(d), where binarypassword=H_(d) (“default SAE password”, version, Service Name, ServiceInstance Name (or Host Name), . . . ). Hash function H_(d) can be anyhash function described herein and may differ from hash function H thatis used to generate the non-default binary password. Additionally, adifferent or special version number, seed, or key can be used togenerate the default password than what is used to generate anon-default password.

Once a binary password for a default or non-default password isgenerated, service/app layer 412 can send a data request message 431including the binary password to NAN layer 410. NAN layer 410 can thensend a data path request message 432 that includes NAN parameters suchas NAN data path extension (NDPE) attribute, cipher suite informationattribute (CSIA), SAE attribute (SAEA), and shared key descriptorattribute (SKDA) parameters. The SAEA can include the NDP Initiator'sSAE commit parameters. Service/app layer 404 and NAN layer 406 can thenexchange a data indication message 433 and a data response message 434,where the data response message 434 includes a binary password. TheNDPE, CSIA, SCIA, SKDA, and SAEA that includes the NDP Responder's SAEcommit parameters can be sent from the NDP responder 402 to the NDPinitiator 408 via the NAN data path response (e.g., message 435). TheNDP initiator 408 can confirm via data path confirm message 435including SKDA and SAEA that includes the NDP Initiator's SAE confirmparameters. The NDP responder 402 can then confirm via data pathsecurity install message 437, which also includes the SKDA and SAEA thatincludes the NDP Responder's SAE confirm parameters. NAN layer 406 andNAN layer 410 can then send respective data confirm message 438 and dataconfirm message 439 to service/app layer 404 and service/app layer 412.A secured data communication channel 440 can then be established betweenthe NDP responder 402 and the NDP initiator 408.

FIG. 5 provides additional detail with respect to the integration of theSAE handshake in the NDP setup handshake, according to an embodiment. Inone embodiment the SAE handshake is integrated in the NDP setuphandshake by integrating SAE handshake attributes within the messages ofthe NDP setup handshake. The SAE attributes enable runtime derivation ofa PMK and PTK during the NDP handshake using SAE. Within thefour-message NDP setup handshake, M1 (data path request) and M2 (datapath response) convey security material used to derive the PMK and PTK.The PMK identifier (PMKID) is verified in M2 and M3, rather than in M1and M2 as in previous NAN versions (e.g., NAN version 3.0, 2.0, etc.).Security capabilities, SAE commit/confirm material, and PTK derivationmaterial are verified by message integrity codes (MICs) in M2, M3, andM4.

In one embodiment, service/app layer 412 can send a data request message531 including a binary password to NAN layer 410. NAN layer 410 can thensend a data path request message 532 (NDP handshake M1) NDPE, CSIA, andSKDA parameters. The NDPE can specify NAN data path extension attributesthat are used during the NDP handshake, such as NDPE control variables.The SKDA can include an initiator provided cryptographic nonce value(I-Nonce). To indicate support for SAE, the CSIA can specify the NCS-SAEcipher suite. Additionally, SAE parameters can be carried by the SAEA.The SAEA can include scalar and element field data (scalar-I+element-I)that are derived from the binary password input and two random numbersat the NDP initiator 408. Other SAE parameters can also be relayed viathe SAEA.

NAN layer 406 at the NDP responder 402 can receive the parameters withinthe data path request message 532 and send a data indication message 533to service/app layer 404. Service/app layer 404 can reply with a dataresponse message 534 that includes the binary password associated withthe 00B password presented or transmitted to the NDP initiator 408. NANlayer 406 can then derive key material 514, which includes a PMK, PMKID,and PTK.

The NDP responder 402, via NAN layer 406, can send a data path responsemessage 535 (NDP handshake M2) that includes NDP and SAE handshakeparameters. Data path response message 535 can include NDPE, SCIA, SCIA,SAEA, and SKDA parameters. The CSIA can publish support for NCS-SAEcipher suite. The SCIA can include the PMKID from key material 514. TheSAEA can include the scalar and element field data (scalar R+element R)that are derived from the binary password data within data responsemessage 534. The SKDA can include a responder provided nonce value(R-Nonce) and a message integrity code for message M2.

NAN layer 410, after receiving the data path response message 535 canthen derive key material 516, which includes a PMK, PMKID, and PTK. TheNDP initiator 408, via NAN layer 410, can then send a data pathconfirmation message 536 (NDP handshake M3) including an SCIA thatincludes the PMKID from key material 516 and an SAEA that includes SAEconfirmation data (confirm-I) from the NDP initiator 408. The NDPresponder 402 can then send the data path security install message 537(NDP handshake M4) that includes SAE confirmation data (confirm-R) fromthe NDP responder 402. NAN layer 406 and NAN layer 410 can then sendrespective data confirm message 538 and data confirm message 539 toservice/app layer 404 and service/app layer 412 to confirm thecompletion of the NDP and SAE handshakes. A secured data communicationchannel 540 can then be established between the NDP responder 402 andthe NDP initiator 408. Should any of the SAE commit or confirmationstages fail to authenticate, the secured data communication channel 540will not be established.

In one embodiment, SAE recovery and re-setup are enabled to cover thescenarios in which: 1) a kernel crash occurs and the NAN firmware on adevice loses all key material; 2) an initial NDP is terminated and a newNDP is re-established using the same OOB password. SAE recovery enablesthe NAN host to recover the secured NDP without service/applicationinvolvement. SAE re-setup enables a NAN device pair to re-establish anew NDP, after the initial NDP is terminated, without conducting OOBauthentication again. NDP recovery and NDP re-setup may be performedusing a variety of different PMK material caching strategies. The PMKmaterial caching strategies are designed while weighing the ease ofsession recovery with the safety of passing certain key material betweenservice/application layers, NAN hosts, and NAN firmware. For example, itmay be safe to pass and store PMK in a NAN Host for NDP recoverypurpose, but it may be risky to pass and store the PMK in theservice/application layer.

FIG. 6 illustrates SAE recovery and re-setup, according to anembodiment. SAE recovery and re-setup can be performed between an NDPresponder 602 and an NDP initiator 608, which can be similar to otherNDP responders and initiators described herein. NDP responder 602includes a service/app layer 604 and a NAN layer that includes a NANhost 605 and NAN firmware 606. NDP initiator 608 also includes a NANlayer that includes NAN firmware 610 and a NAN host 611, as well as aservice/app layer 612.

An 00B password 614 can be obtained via a variety of mechanism describedpreviously, including input, QR code, NFC tag, etc. Secured NDP setupusing SAE 615 can be performed using techniques shown in FIG. 4 and FIG.5. Once PMK and PMKID are derived and verified, PMK material can bepassed to the NAN host 605, 611 and service/app layers 604, 612 for NDPrecovery or NDP re-setup purposes. For example, NAN firmware 606 and NANfirmware 610 can then send respective data confirm messages 616, 617that contain PMK information. The service/app layers 604, 612 and NANhost 605, 611 can then perform operations to store key material. Toenhance security, not all key material is stored with either theservice/app layers or NAN host layers. Instead, the stored key materialis divided into PMK material A and PMK material B. Service/app layers604, 612 can perform operations 618, 621 to store PMK material B. NANhosts 605, 611 can perform operations 619, 620 to store PMK material A.Once key material is stored, a secured data communication channel 622 isestablished between the NDP responder 402 and the NDP initiator 408.

The specific contents of PMK material A and PMK material B can varyacross embodiments. In one embodiment, PMKID and element parameters(such as PE, msk and/or element) can be passed to the NAN host layers orthe service/app layers for NDP recovery or NDP re-setup purposes, toavoid repeated calculations. Other PMK generation material, such as rndis deleted, and should be newly generated in NDP recovery and NDPre-setup, for forward secrecy protection. When NDP recovery or NDPre-setup is triggered, the NAN host layer or service/app layer passesthe stored PMK material to the NAN firmware. The NAN firmware reuses thestored PMK material and newly generated material (e.g. rnd) in the SAEhandshake, which results in a new PMK. Alternatively, only the PMKID maybe stored by both the NAN host and service/app layers. The PMKID can becalculated as Truncate-128 (Hash (element-I|element-R)). When NDPrecovery or NDP re-setup is triggered, the NAN host layer or service/applayer passes the stored password (e.g., binary password) and PMKID backto the NAN firmware. The NAN firmware will then redo the SAE cipher togenerate a new PMK.

Crash recovery according to one embodiment is shown in FIG. 6. Should acrash occur in the NAN firmware of a device, key material for thatdevice may be lost. For example, should a crash 625 occur within NANfirmware 606 that results in the loss of key material, a secured NDPrecovery operation 628 can be performed using PMK material A held by NANhost 605. NAN host 605 can send a data recovery request message 626including stored PMK material A to NAN firmware 606 to request thesecured NDP recovery operation 628. NAN host 611 can also send a datarecovery response message 627 including PMK material A. Once the securedNDP recovery operation 628 is performed, conformation messages 629A-629Bcan be sent to NAN host 605, 611, which can perform operations 630A-630Bto store updated PMK material A′. A secured data communication session631 can then be re-established without re-input of the 00B password 614.

Session re-establishment, according to one embodiment, is also shown inFIG. 6. When a secured data communication session terminates, theservice/app layer of a terminating device can send a data end message632 to the NAN firmware of the terminating device. A data pathtermination message 633 can be sent to the NAN firmware of the otherdevice, which can then relay a data termination message 634 to theservice/app layer of the other device. Either the NDP responder 602 orthe NDP initiator 608 can terminate the session. Upon sessiontermination, the NAN firmware 606, 610 of both devices can perform anoperation 635A-635B to delete all key material.

In one embodiment, a portion of the key material can be retained by theNAN host and software/app layers of the devices. For example, in oneembodiment the service/app layers 604, 612 may retain the PMKID. Aservice publication message 636 can be sent from service/app layer 604to NAN firmware 606. NAN firmware 606 can then send a message 637 thatcontains the PMKID. NAN firmware 610 can relay a discovery resultmessage 638 containing the PMKID of message 637. Service/app layer 612can send a data request message 639 that includes stored the PMKmaterial B that corresponds with the PMKID. Service/app layer 604 cansend a data response message 640 that includes stored PMK material B. Asecured NDP re-setup operation 641 can then be performed using PMKmaterial B. Once the secured NDP re-setup operation 641 is complete, NANfirmware 606 and NAN firmware 610 can then send respective data confirmmessages 648, 649 to service/app layer 604 and service/app layer 612.The NDP responder 602 and NDP initiator 608 can then re-establish asecured data communication channel 650 without requiring re-entry of the00B password 614.

FIG. 7 is a block diagram of a device architecture 700 for a mobile orembedded device, according to an embodiment. The device architecture 700includes a memory interface 702, a processing system 704 including oneor more data processors, image processors and/or graphics processingunits, and a peripherals interface 706. The various components can becoupled by one or more communication buses or signal lines. The variouscomponents can be separate logical components or devices or can beintegrated in one or more integrated circuits, such as in a system on achip integrated circuit.

The memory interface 702 can be coupled to memory 750, which can includehigh-speed random-access memory such as static random-access memory(SRAM) or dynamic random-access memory (DRAM) and/or non-volatilememory, such as but not limited to flash memory (e.g., NAND flash, NORflash, etc.).

Sensors, devices, and subsystems can be coupled to the peripheralsinterface 706 to facilitate multiple functionalities. For example, amotion sensor 710, a light sensor 712, and a proximity sensor 714 can becoupled to the peripherals interface 706 to facilitate the mobile devicefunctionality. One or more biometric sensor(s) 715 may also be present,such as a fingerprint scanner for fingerprint recognition or an imagesensor for facial recognition. Other sensors 716 can also be connectedto the peripherals interface 706, such as a positioning system (e.g.,GPS receiver), a temperature sensor, or other sensing device, tofacilitate related functionalities. A camera subsystem 720 and anoptical sensor 722, e.g., a charged coupled device (CCD) or acomplementary metal-oxide semiconductor (CMOS) optical sensor, can beutilized to facilitate camera functions, such as recording photographsand video clips.

Communication functions can be facilitated through one or more wirelesscommunication subsystems 724, which can include radio frequencyreceivers and transmitters and/or optical (e.g., infrared) receivers andtransmitters. The specific design and implementation of the wirelesscommunication subsystems 724 can depend on the communication network(s)over which a mobile device is intended to operate. For example, a mobiledevice including the illustrated device architecture 700 can includewireless communication subsystems 724 designed to operate over a GSMnetwork, a CDMA network, an LTE network, a Wi-Fi network, a Bluetoothnetwork, or any other wireless network. In particular, the wirelesscommunication subsystems 724 can provide a communications mechanism overwhich a media playback application can retrieve resources from a remotemedia server or scheduled events from a remote calendar or event server.

An audio subsystem 726 can be coupled to a speaker 728 and a microphone730 to facilitate voice-enabled functions, such as voice recognition,voice replication, digital recording, and telephony functions. In smartmedia devices described herein, the audio subsystem 726 can be ahigh-quality audio system including support for virtual surround sound.

The I/O subsystem 740 can include a touch screen controller 742 and/orother input controller(s) 745. For computing devices including a displaydevice, the touch screen controller 742 can be coupled to a touchsensitive display system 746 (e.g., touch-screen). The touch sensitivedisplay system 746 and touch screen controller 742 can, for example,detect contact and movement and/or pressure using any of a plurality oftouch and pressure sensing technologies, including but not limited tocapacitive, resistive, infrared, and surface acoustic wave technologies,as well as other proximity sensor arrays or other elements fordetermining one or more points of contact with a touch sensitive displaysystem 746. Display output for the touch sensitive display system 746can be generated by a display controller 743. In one embodiment, thedisplay controller 743 can provide frame data to the touch sensitivedisplay system 746 at a variable frame rate.

In one embodiment, a sensor controller 744 is included to monitor,control, and/or processes data received from one or more of the motionsensor 710, light sensor 712, proximity sensor 714, or other sensors716. The sensor controller 744 can include logic to interpret sensordata to determine the occurrence of one of more motion events oractivities by analysis of the sensor data from the sensors.

In one embodiment, the I/O subsystem 740 includes other inputcontroller(s) 745 that can be coupled to other input/control devices748, such as one or more buttons, rocker switches, thumb-wheel, infraredport, USB port, and/or a pointer device such as a stylus, or controldevices such as an up/down button for volume control of the speaker 728and/or the microphone 730.

In one embodiment, the memory 750 coupled to the memory interface 702can store instructions for an operating system 752, including portableoperating system interface (POSIX) compliant and non-compliant operatingsystem or an embedded operating system. The operating system 752 mayinclude instructions for handling basic system services and forperforming hardware dependent tasks. In some implementations, theoperating system 752 can be a kernel.

The memory 750 can also store communication instructions 754 tofacilitate communicating with one or more additional devices, one ormore computers and/or one or more servers, for example, to retrieve webresources from remote web servers. The memory 750 can also include userinterface instructions 756, including graphical user interfaceinstructions to facilitate graphic user interface processing.

Additionally, the memory 750 can store sensor processing instructions758 to facilitate sensor-related processing and functions; telephonyinstructions 760 to facilitate telephone-related processes andfunctions; messaging instructions 762 to facilitate electronic-messagingrelated processes and functions; web browser instructions 764 tofacilitate web browsing-related processes and functions; mediaprocessing instructions 766 to facilitate media processing-relatedprocesses and functions; location services instructions including GPSand/or navigation instructions 768 and Wi-Fi based location instructionsto facilitate location based functionality; camera instructions 770 tofacilitate camera-related processes and functions; and/or other softwareinstructions 772 to facilitate other processes and functions, e.g.,security processes and functions, and processes and functions related tothe systems. The memory 750 may also store other software instructionssuch as web video instructions to facilitate web video-related processesand functions; and/or web shopping instructions to facilitate webshopping-related processes and functions. In some implementations, themedia processing instructions 766 are divided into audio processinginstructions and video processing instructions to facilitate audioprocessing-related processes and functions and video processing-relatedprocesses and functions, respectively. A mobile equipment identifier,such as an International Mobile Equipment Identity (IMEI) 774 or asimilar hardware identifier can also be stored in memory 750.

Each of the above identified instructions and applications cancorrespond to a set of instructions for performing one or more functionsdescribed above. These instructions need not be implemented as separatesoftware programs, procedures, or modules. The memory 750 can includeadditional instructions or fewer instructions. Furthermore, variousfunctions may be implemented in hardware and/or in software, includingin one or more signal processing and/or application specific integratedcircuits.

FIG. 8 is a block diagram of a computing system 800, according to anembodiment. The illustrated computing system 800 is intended torepresent a range of computing systems (either wired or wireless)including, for example, desktop computer systems, laptop computersystems, tablet computer systems, cellular telephones, personal digitalassistants (PDAs) including cellular-enabled PDAs, set top boxes,entertainment systems or other consumer electronic devices, smartappliance devices, or one or more implementations of a smart mediaplayback device. Alternative computing systems may include more, fewerand/or different components. The computing system 800 can be used toprovide the computing device and/or a server device to which thecomputing device may connect.

The computing system 800 includes bus 835 or other communication deviceto communicate information, and processor(s) 810 coupled to bus 835 thatmay process information. While the computing system 800 is illustratedwith a single processor, the computing system 800 may include multipleprocessors and/or co-processors. The computing system 800 further mayinclude memory 820, such as random-access memory (RAM) or other dynamicstorage device coupled to the bus 835. The memory 820 may storeinformation and instructions that may be executed by processor(s) 810.The memory 820 may also be used to store temporary variables or otherintermediate information during execution of instructions by theprocessor(s) 810.

The computing system 800 may also include read only memory (ROM) 830and/or another data storage device 840 coupled to the bus 835 that maystore information and instructions for the processor(s) 810. The datastorage device 840 can be or include a variety of storage devices, suchas a flash memory device, a magnetic disk, or an optical disc and may becoupled to computing system 800 via the bus 835 or via a remoteperipheral interface.

The computing system 800 may also be coupled, via the bus 835, to adisplay device 850 to display information to a user. The computingsystem 800 can also include an alphanumeric input device 860, includingalphanumeric and other keys, which may be coupled to bus 835 tocommunicate information and command selections to processor(s) 810.Another type of user input device includes a cursor control 870 device,such as a touchpad, a mouse, a trackball, or cursor direction keys tocommunicate direction information and command selections to processor(s)810 and to control cursor movement on the display device 850. Thecomputing system 800 may also receive user input from a remote devicethat is communicatively coupled via one or more network interface(s)880.

The computing system 800 further may include one or more networkinterface(s) 880 to provide access to a network, such as a local areanetwork. The network interface(s) 880 may include, for example, awireless network interface having antenna 885, which may represent oneor more antenna(e). The computing system 800 can include multiplewireless network interfaces such as a combination of Wi-Fi, Bluetooth®,near field communication (NFC), and/or cellular telephony interfaces.The network interface(s) 880 may also include, for example, a wirednetwork interface to communicate with remote devices via network cable887, which may be, for example, an Ethernet cable, a coaxial cable, afiber optic cable, a serial cable, or a parallel cable.

In one embodiment, the network interface(s) 880 may provide access to alocal area network, for example, by conforming to IEEE 802.11 standards,and/or the wireless network interface may provide access to a personalarea network, for example, by conforming to Bluetooth standards. Otherwireless network interfaces and/or protocols can also be supported. Inaddition to, or instead of, communication via wireless LAN standards,network interface(s) 880 may provide wireless communications using, forexample, Time Division, Multiple Access (TDMA) protocols, Global Systemfor Mobile Communications (GSM) protocols, Code Division, MultipleAccess (CDMA) protocols, Long Term Evolution (LTE) protocols, and/or anyother type of wireless communications protocol.

The computing system 800 can further include one or more energy sources805 and one or more energy measurement systems 845. Energy sources 805can include an AC/DC adapter coupled to an external power source, one ormore batteries, one or more charge storage devices, a USB charger, orother energy source. Energy measurement systems include at least onevoltage or amperage measuring device that can measure energy consumed bythe computing system 800 during a predetermined period of time.Additionally, one or more energy measurement systems can be includedthat measure, e.g., energy consumed by a display device, coolingsubsystem, Wi-Fi subsystem, or other frequently used or high-energyconsumption subsystem.

In some embodiments, the hash functions described herein can utilizespecialized hardware circuitry (or firmware) of the system (clientdevice or server). For example, the function can be ahardware-accelerated function. In addition, in some embodiments, thesystem can use a function that is part of a specialized instruction set.For example, the hardware can use an instruction set which may be anextension to an instruction set architecture for a particular type ofmicroprocessors. Accordingly, in an embodiment, the system can provide ahardware-accelerated mechanism for performing cryptographic operationsto improve the speed of performing the functions described herein usingthese instruction sets.

In addition, the hardware-accelerated engines/functions are contemplatedto include any implementations in hardware, firmware, or combinationthereof, including various configurations which can includehardware/firmware integrated into the SoC as a separate processor, orincluded as special purpose CPU (or core), or integrated in acoprocessor on the circuit board, or contained on a chip of an extensioncircuit board, etc.

FIG. 9 illustrates a computing system 900 including a secure processor,according to an embodiment. In one embodiment the illustrated secureprocessor 903 is a secure enclave processor, although other types ofsecure processors may be used to accelerate cryptographic operationsdescribed herein. The computing system 900 can enable a device toperform secure accelerated cryptographic operations, to provide securestorage for a subset of private keys, and to enable the encryption ofother private keys. A version of the computing system 900 can beincluded in a primary device (e.g., smartphone) and a secondary device(e.g., computing device, wearable device, wireless accessory) asdescribed herein.

The computing system 900 includes an application processor 921 that iscommunicably coupled with a secure processor 903 via a secure interface919. The computing system 900 can be a portion of any of the clientdevices described herein. Additionally, the computing system 900 can beincluded into one or more of the servers described herein. In oneembodiment, the secure processor 903 can be implemented as a system onchip. In another embodiment, the application processor 921 and thesecure processor 903 can be implemented on a system on chip and includeone or more processors and memory controllers and other components on asingle integrated circuit.

The secure processor 903 can perform cryptographic operations asdescribed herein, as well as other system security operations such asencrypting user files or verifying code signatures, processing userpasscodes, or performing other security operations. The cryptographicoperations can be performed in part by the secure processor core 915 byexecuting software stored as firmware 911 in the secure processor 903.The secure processor core 915 can also be coupled to a ROM 913 which canbe trusted software that can validate the software in the firmware 911before allowing that firmware to execute by checking a code signature ofthe firmware and verifying that the signature code indicates that thefirmware is valid and has not been corrupted before allowing thefirmware to be executed by the secure processor core 915.

The secure processor 903 can also include a cryptographic acceleratorsuch as cryptographic accelerator 907 which can perform asymmetriccryptography as well as symmetric cryptography using a hardwareaccelerator. The cryptographic accelerator 907 can be coupled to memory905, which may be non-volatile and immutable memory that can be used tostore a device identifier or a set of device identifiers a securemanner. The memory 905 can also be used to store a set of one or morecertificates and private keys which are hidden from the rest of thesystem and are not readable by the rest of the system in one embodiment.The cryptographic accelerator 907 has access to the private keys andother data within the memory 905 and access to the memory 905 is notallowed for components outside of the secure processor 903. In oneembodiment, the cryptographic accelerator 907 can be coupled to anaccelerator memory 909 which can be a scratch pad memory used to performthe cryptographic operations that are performed by the cryptographicaccelerator 907. The application processor 921 can be coupled to one ormore buses 923 which are coupled to one or more input and output (I/O)devices 927, such as a touchscreen display a Bluetooth radio, an NFCradio, a Wi-Fi radio, etc. Other input and output devices can beincluded. The application processor 921 is also coupled to anapplication processor ROM 925, which provides software to boot theapplication processor. Similarly, the ROM 913 provides code to boot thesecure processor core 915 within the secure processor 903.

FIG. 10 is a flow diagram illustrating a method 1000 that enables a NANcompact SAE protocol, according to an embodiment. The NAN compact SAEprotocol enables encapsulation of SAE handshake messages into thesecured NDP setup handshake. Method 1000 can be performed by hardwareand software logic that establishes neighborhood awareness networkingdatapaths. Operations of method 1000 can conform largely to the NANcompact SAE protocol sequence illustrated in FIG. 4 and FIG. 5. Method1000 can be used to enhance the security of one-way authenticationtechniques that are used, for example, to establish a wirelessconnection over Wi-Fi to facilitate a data exchange. One-wayauthentication can be performed using QR code scan, passcode input, andsimilar techniques. One-way authentication can also be performed using astatic NFC connection.

Method 1000 includes operation 1002, which detects, during a discoverywindow, a neighboring client station that is to perform peer-to-peerWi-Fi communication via a Neighbor Awareness Networking (NAN) protocol.Method 1000 then proceeds to operation 1004 to negotiate, after thediscovery window, NAN protocol parameters for a datapath with theneighboring client station. The negotiation of operation 1004 includesexchanging NAN data path setup attributes in parallel with an exchangeof attributes for an encryption cipher. The encryption cipher can bebased on a simultaneous authentication of equals (SAE) protocol. Thenegotiation can additionally include performing a NAN data path setuphandshake process that includes sending or receiving a data path requestmessage, a data path response message, a data path confirm message, anda data path security install message. The negotiation can also includean SAE handshake that includes sending or receiving at least one SAEcommit message and at least one SAE confirm message.

Method 1000 additionally includes operation 1006, which generates keymaterial to encrypt the datapath using the SAE protocol. The keymaterial can be generated based on binary password material that isbased on a password that is received from the neighboring client stationvia an out-of-band channel or a password that is generated and presentedvia the out-of-band channel with the neighboring client station. In theabsence of an out-of-band password, in one embodiment a default passwordmay be used. The default password can be a binary password generated viaa hash function. An out-of-band password that is generated or receivedcan also be converted to a binary password via the hash function. One ormore SAE protocol attributes can be generated based on the binarypassword.

Method 1000 then proceeds to operation 1008, which establishes thedatapath with the neighboring client station. Once a datapath isestablished, the NAN compact SAE protocol described herein can also beused to enable SAE recovery and re-setup, as shown in FIG. 6 In oneembodiment, SAE recovery is enabled to cover a scenario in which akernel crash occurs and the NAN firmware on a device loses all keymaterial. SAE recovery enables the NAN host to recover the secured NDPwithout service/application involvement. In one embodiment, SAE re-setupenables the NAN device pair to re-establish a new secured NDP withoutconducting OOB authentication again, after the initial NDP isterminated. To enable SAE re-setup, method 1000 includes operation 1010,which stores a portion of the key-material to enable subsequent re-setupof the datapath.

It should be noted that the term “approximately” or “substantially” maybe used herein and may be interpreted as “as nearly as practicable,”“within technical limitations,” and the like. In addition, the use ofthe term “or” indicates an inclusive or (e.g. and/or) unless otherwisespecified.

In the foregoing description, example embodiments of a neighborawareness networking system have been described. It will be evident thatvarious modifications can be made thereto without departing from thebroader spirit and scope of the disclosure. The specification anddrawings are, accordingly, to be regarded in an illustrative senserather than a restrictive sense. The specifics in the descriptions andexamples provided may be used anywhere in one or more embodiments. Thevarious features of the different embodiments or examples may bevariously combined with some features included and others excluded tosuit a variety of different applications. Examples may include subjectmatter such as a method, means for performing acts of the method, atleast one machine-readable medium including instructions that, whenperformed by a machine cause the machine to perform acts of the method,or of an apparatus or system according to embodiments and examplesdescribed herein. Additionally, various components described herein canbe a means for performing the operations or functions described herein.

Other features of the present embodiments will be apparent from theaccompanying drawings and from the detailed description above.Accordingly, the true scope of the embodiments will become apparent tothe skilled practitioner upon a study of the drawings, specification,and following claims.

What is claimed is:
 1. An apparatus comprising: a memory; and at leastone processor in communication with the memory, wherein the at least oneprocessor is configured to: detect, during a discovery window, aneighboring client station that is to perform peer-to-peer Wi-Ficommunication via a Neighbor Awareness Networking (NAN) protocol; andestablish, via a negotiation after the discovery window, a datapath withthe neighboring client station that is detected during the discoverywindow, wherein the negotiation includes an exchange of NAN data pathsetup attributes in parallel with an exchange of attributes for anencryption cipher, wherein the encryption cipher is based on asimultaneous authentication of equals (SAE) protocol, and wherein theSAE protocol is used to generate key material to encrypt the datapath.2. The apparatus as in claim 1, wherein the negotiation includes a NANdata path setup handshake, the NAN data path setup handshake including adata path request message, a data path response message, a data pathconfirm message and a data path security install message.
 3. Theapparatus as in claim 1, wherein the negotiation includes an SAEhandshake, the SAE handshake including at least one SAE commit messageand at least one SAE confirm message.
 4. The apparatus as in claim 1,wherein the at least one processor is to generate a password and cause atransmission or presentation of the password to the neighboring clientstation via an out-of-band channel.
 5. The apparatus as in claim 1,wherein the at least one processor is to receive a password from theneighboring client station via an out-of-band channel.
 6. The apparatusas in claim 1, additionally comprising a NAN protocol enabledcommunications device coupled with the at least one processor, the NANprotocol enabled communications device including at least one antenna,at least one radio coupled to the at least one antenna, and at least oneprocessor.
 7. The apparatus as in claim 6, wherein the NAN protocolenabled communications device is to perform at least one of Wi-Ficommunication or Bluetooth communication.
 8. The apparatus as in claim6, wherein the NAN protocol enabled communications device is to:generate a default password, wherein the default password is a binarypassword generated via a hash function, the default password used togenerate key material to encrypt the datapath in absence of a passwordsupplied by the at least one processor; and generate one or more SAEprotocol attributes based on the binary password.
 9. The apparatus as inclaim 6, wherein the at least one processor is to: generate or receive apassword, the password used to generate key material to encrypt thedatapath; convert the password to a binary password via a hash function;and transmit the binary password to the NAN protocol enabledcommunications device.
 10. The apparatus as in claim 9, wherein the NANprotocol enabled communications device is to generate one or more SAEprotocol attributes based on the binary password received from the atleast one processor.
 11. The apparatus as in claim 10, wherein the atleast one processor is to store at least a first portion of the keymaterial in the memory, the NAN protocol enabled communications deviceis to internally store at least a second portion of the key material,and the NAN protocol enabled communications device is to recover orre-setup the datapath with the neighboring client station via at leastthe first portion of the key material or the second portion of the keymaterial.
 12. A non-transitory machine-readable medium storinginstructions to cause one or more processors of an electronic device toperform one or more operations comprising: detecting, during a discoverywindow, a neighboring client station that is to perform peer-to-peerWi-Fi communication via a Neighbor Awareness Networking (NAN) protocol;negotiating, after the discovery window, NAN protocol parameters for adatapath with the neighboring client station that is detected during thediscovery window, wherein the negotiating includes exchanging NAN datapath setup attributes in parallel with an exchange of attributes for anencryption cipher, wherein the encryption cipher is based on asimultaneous authentication of equals (SAE) protocol; generating keymaterial to encrypt the datapath using the SAE protocol; andestablishing the datapath with the neighboring client station.
 13. Thenon-transitory machine-readable medium as in claim 12, wherein thenegotiating includes performing a NAN data path setup handshake processand the NAN data path setup handshake process including a data pathrequest message, a data path response message, a data path confirmmessage, and a data path security install message.
 14. Thenon-transitory machine-readable medium as in claim 12, wherein thenegotiating includes an SAE handshake, the SAE handshake including atleast one SAE commit message and at least one SAE confirm message. 15.The non-transitory machine-readable medium as in claim 12, theoperations additionally comprising generating a password andtransmitting or presenting the password to the neighboring clientstation via an out-of-band channel.
 16. The non-transitorymachine-readable medium as in claim 12, the operations additionallycomprising receiving a password from the neighboring client station viaan out-of-band channel.
 17. The non-transitory machine-readable mediumas in claim 12, the operations additionally comprising: via a NANprotocol enabled communications device coupled with the one or moreprocessors: generating a default password, wherein the default passwordis a binary password generated via a hash function, the default passwordused to generate key material to encrypt the datapath in absence of anout-of-band password supplied by the one or more processors; andgenerating one or more SAE protocol attributes based on the binarypassword.
 18. The non-transitory machine-readable medium as in claim 12,the operations additionally comprising: generating or receiving apassword used to generate key material to encrypt the datapath; convertthe password to a binary password via a hash function; and transmit thebinary password to a NAN protocol enabled communications device coupledwith the one or more processors.
 19. The non-transitory machine-readablemedium as in claim 18, wherein the NAN protocol enabled communicationsdevice is to generate one or more SAE protocol attributes based on thebinary password.
 20. The non-transitory machine-readable medium as inclaim 19, the operations additionally comprising storing at least afirst portion of the key material in a memory coupled with the one ormore processors, wherein the NAN protocol enabled communications deviceis to internally store at least a second portion of the key material,and the NAN protocol enabled communications device is to recover orre-setup the datapath with the neighboring client station via at leastthe first portion of the key material or the second portion of the keymaterial.